Facebook is in trouble again. The social network may have violated federal privacy laws by scanning private messages without user consent. A class-action lawsuit has been filed in Northern California District Court, over allegations that the company systematically scans its users’ private messages for links.

Facebook alleged to have stored links sent in private messages

The plaintiffs have alleged that Facebook routinely scans private messages. While the company does that to scan for URLs for malware protection and industry-standard searches for child pornography, the lawsuit claims that Facebook also uses this data for advertising and other purposes. Plaintiffs allege that by maintaining those records in a searchable form, Facebook is violating the Electronic Communications Privacy Act and the California Invasion of Privacy Act.

Facebook has responded that the company scans private data in bulk and maintains this data in anonymized form. The social network has said that the data from the private messages is stored and retrieved in a way which is “more akin to The New York Times publishing a list of bestselling books…the anonymized and aggregated data is used to indicate the popularity of information.“

The records […] may be put to any use, for any reason, by any Facebook employee, at any time. – Plaintiffs

The plaintiffs have apparently gained access to Facebook’s source code (exhibits are still under seal), and have claimed that the technical analysis performed contradicts Facebook’s response. Research done on behalf of plaintiffs shows that each URL sent in a private message is stored in a database which shows both the data, time, and the user IDs of the sender and the recipient. The analysis further provides information that a Facebook employee could search this database to identify anyone who sent or received a URL-added private message. Facebook lawyers have called this analysis as “speculative.”

Court has ruled out any monetary damages, which means that the court can prohibit Facebook from continuing similar scans or storing the data, but the plaintiffs won’t receive any payouts as a result. In response to this, Facebook also seemed to agree that the site engaged in this practice, at least in the past.

We agree with the court’s finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis.

While Facebook can store data indefinitely to target content and advertisements, content shared in private messages is private, posing a privacy concern if the company stores a record of who sends/receives what links. Plaintiffs have to file an amended complaint by June 8, after which the court will decide if Facebook’s private link-logging practices violated the ECPA or CIPA.